Essays in the Category "Identity Theft"

Page 1 of 1

Why Technology Won't Prevent Identity Theft

  • Bruce Schneier
  • The Wall Street Journal
  • January 9, 2009

Hebrew translation

Impersonation isn’t new. In 1556, a Frenchman was executed for impersonating Martin Guerre and this week hackers impersonated Barack Obama on Twitter. It’s not even unique to humans: mockingbirds, Viceroy butterflies, and the brown octopus all use impersonation as a survival strategy. For people, detecting impersonation is a hard problem for three reasons: we need to verify the identity of people we don’t know, we interact with people through “narrow” communications channels like the telephone and Internet, and we want computerized systems to do the verification for us…

Read More →

State Data Breach Notification Laws: Have They Helped?

  • Bruce Schneier
  • Information Security
  • January 2009

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus’s half is here.

THERE ARE THREE REASONS for breach notification laws. One, it’s common politeness that when you lose something of someone else’s, you tell him. The prevailing corporate attitude before the law—”They won’t notice, and if they do notice they won’t know it’s us, so we are better off keeping quiet about the whole thing”—is just wrong. Two, it provides statistics to security researchers as to how pervasive the problem really is. And three, it forces companies to improve their security…

Read More →

Solving Identity Theft

  • Bruce Schneier
  • Forbes
  • January 22, 2007

Identity theft is the information age’s new crime. A criminal collects enough personal data on the victim to impersonate him to banks, credit card companies and other financial institutions. Then he racks up debt in the victim’s name, collects the cash and disappears. The victim is left holding the bag.

While some of the losses are absorbed by financial institutions—credit card companies in particular—the credit-rating damage is borne by the victim. It can take years for the victim to completely clear his name.

So far, we’ve seen several “solutions” to this problem: forcing companies to disclose when they lose personal information, forcing companies to secure personal information, forcing financial institutions to enhance their authentication procedures. Unfortunately, these won’t help…

Read More →

Does Secrecy Help Protect Personal Information?

  • Bruce Schneier
  • Information Security
  • January 2007

This essay appeared as the second half of a point-counterpoint with Marcus Ranum. Marcus’s side can be found on his website.

Personal information protection is an economic problem, not a security problem. And the problem can be easily explained: The organizations we trust to protect our personal information do not suffer when information gets exposed. On the other hand, individuals who suffer when personal information is exposed don’t have the capability to protect that information.

There are actually two problems here: Personal information is easy to steal, and it’s valuable once stolen. We can’t solve one problem without solving the other. The solutions aren’t easy, and you’re not going to like them…

Read More →

The Anti-ID-Theft Bill That Isn't

  • Bruce Schneier
  • Wired
  • April 20, 2006

California was the first state to pass a law requiring companies that keep personal data to disclose when that data is lost or stolen. Since then, many states have followed suit. Now Congress is debating federal legislation that would do the same thing nationwide.

Except that it won’t do the same thing: The federal bill has become so watered down that it won’t be very effective. I would still be in favor of it—a poor federal law is better than none—if it didn’t also pre-empt more-effective state laws, which makes it a net loss.

Identity theft is the fastest-growing area of crime. It’s badly named—your identity is the one thing that cannot be stolen—and is better thought of as fraud by impersonation. A criminal collects enough personal information about you to be able to impersonate you to banks, credit card companies, brokerage houses, etc. Posing as you, he steals your money, or takes a destructive joyride on your good credit…

Read More →

Make Businesses Pay in Credit Card Scam

  • Bruce Schneier
  • New York Daily News
  • June 23, 2005

The epidemic of personal data thefts and losses – most recently 40 million individuals by Visa and MasterCard – should concern us for two reasons: personal privacy and identity theft.

Real reform is required to solve these problems. We need to reduce the amount of personal information collected, limit how it can be used and resold, and require companies that mishandle our data to be liable for that mishandling. And, most importantly, we need to make financial institutions liable for fraudulent transactions.

Whether it is the books we take out of the library, the Web sites we visit, our medical information or the contents of our E-mails and text messages, most of us have personal data that we don’t want made public. Legislation that securely keeps this data out of the hands of criminals won’t affect the privacy invasions committed by reputable companies in the name of price discrimination, marketing or customer service…

Read More →

Customers, Passwords, and Web Sites

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004

View or Download in PDF Format

Criminals follow money. Today, more and more money is on the Internet: millions of people manage their bank, PayPal, or other accounts—and even their stock portfolios—online. It’s a tempting target—if criminals can access one of these accounts, they can steal a lot of money.

And almost all these accounts are protected only by passwords.

You already know that passwords are insecure. In my book Secrets and Lies (published way back in 2000), I wrote: “…password crackers can now break anything that you can reasonably expect a user to memorize.”…

Read More →

Sidebar photo of Bruce Schneier by Joe MacInnis.